
Could formjacking affect your organization?

Threat actors are always one step ahead: after ransomware and cryptojacking, they have latched onto a new, high-return attack, formjacking.

Incidents of formjacking attacks, where hackers inject malicious JavaScript code into a website to skim the data that visitors type into its forms, rose steadily in the second half of last year. These small snippets of code are very hard to detect but very effective. While formjacking can skim data from any web form, it is mostly targeted at ecommerce checkout pages. One researcher, Willem de Groot, estimates that at least 50 e-merchants a day were being hacked between November and February.

Formjacking tools, like those used by the criminal groups tracked collectively as Magecart, are exceptionally flexible and can compromise hundreds of thousands of websites at once, often by compromising a third-party extension or plug-in that many sites load, making it a very profitable attack method for criminals.

What's more, the Magecart groups exploit new vulnerabilities very quickly. Worryingly, it seems that when organisations discover new vulnerabilities in their ecommerce software, they also find that these have already been exploited.

Many CISOs at large enterprises may be wondering, "What has this got to do with me?" In today's cloud-based world, where one interaction can affect thousands of others, that attitude conjures up imagery of an ostrich with its head in the sand.

It's true that formjacking is currently focused on ecommerce and the theft of credit card details, but as we've seen, the targets of cyber-attacks are continually evolving. It's worth remembering that formjacking can target any type of data entered into a web form, including login credentials and employee details.

At the same time, nearly nine in ten organisations are currently undertaking at least one cloud-based digital transformation project (IDC). As these enterprises progress their digital transformation strategies, they are increasingly developing apps on infrastructure-as-a-service (IaaS). Every web form those apps expose is a potential formjacking target, because the attack preys on any web-based data collection, not just shopping carts. To me this isn't just a red flag, it's another point of evidence to convince board-room colleagues that it's time to embark upon a security transformation programme.

It's clear that forward-thinking CISOs need to have formjacking on their radar. Here are three simple steps you can take to help protect your organisation from these attacks:

As a first step, I recommend reviewing and strengthening your security governance process so that it is both proactive and reactive. Consistency is key here. It's important that you follow the same security procedures and guidelines for all plug-in modules and extensions as for your own code, ensuring strong levels of security are embedded in the development process for all web applications. As well as keeping abreast of security bulletins and applying patches accordingly, it's important to perform your own regular vulnerability assessments. It can be useful to pilot any new software update in a small test environment first, because that is where you can compare the scripts a page loads against a known-good baseline and spot unusual behaviour in a script before it reaches customers.

Second, businesses developing apps on cloud-based infrastructure must rethink their legacy security solutions. Traditional security approaches do not cover the myriad attack surfaces of a cloud-enabled enterprise. One approach is to consider a Cloud Access Security Broker (CASB). Businesses are increasingly turning to CASBs to address cloud service risks: they provide visibility, compliance, granular access control, threat protection, data leakage prevention and encryption, even when cloud services are beyond the perimeter and out of the business's direct control.

Third, with current formjacking attacks, merchants are often blissfully unaware of the vulnerabilities in their installed extension base. They may have fantastic security governance and have patched everything while following all security guidance. However, if their vendor has not told them about newly discovered vulnerabilities, they may still be running vulnerable components and therefore be unprotected. This underlines the importance of your supplier relationship, something that is as salient to enterprise CISOs as it is to ecommerce merchants. It's not enough to investigate the credibility of a supplier before using their software. You're entering into a long-term working partnership with them, and therefore it's vital to invest time in making this a strong relationship based on mutual trust, where you can be open about potential vulnerabilities and work to address them together.

For more information on how to protect your business against formjacking, visit our solutions page.